SIM Swap Fraud Spotlights Biometrics, Behavioral Analytics as Defense

Digitizing Payments In Latin America February 2022 - Discover why payments providers can help Mexican merchants serve their consumers' growing appetites for digital payments

The mobile phone, increasingly, is becoming the means through which criminals are impersonating unwitting victims, and stealing from them.

The FBI said earlier this month in an official warning that Subscriber Identity Module – or SIM – swapping scams are gaining popularity.

The schemes target fiat and crypto accounts.  As to just how quickly those scams have gained currency (pun intended): From January 2018 to December 2020, the FBI Internet Crime Complaint Center (IC3) received 320 complaints related to SIM swapping incidents with losses of about $12 million. In 2021, IC3 received 1,611 SIM swapping complaints with adjusted losses of more than $68 million.

In a SIM swap, the bad actors convince mobile carriers to switch a would-be victim’s mobile number to a SIM card that the criminal has in hand.  Various techniques are used to get the carrier to make the switch, the FBI reported — including phishing, where the fraudster has enough information to “trick” the carrier into switching the number to the new card. In some cases, criminals pay off mobile carrier employees to switch the number.

What Happens After the Switch  

After the switch is made, the criminal can send “Forgot Password” or “Account Recovery” requests to the victim’s email and other online accounts associated with the victim’s cellphone number.

“Using SMS-based two-factor authentication, mobile application providers send a link or one-time passcode via text to the victim’s number, now owned by the criminal, to access accounts,”  the FBI reported.  Calls, texts and all manner of data now flow to the new device, and resetting the passwords and logging in gives the thief access to the accounts, while shutting legitimate users out. In the meantime, the thieves tap into bank and crypto accounts and drain them.

We note that the FBI’s warnings are somewhat standard ones — cautioning individuals not to advertise information about financial assets on social media (that includes crypto, of course). The FBI also recommends that requests for mobile account information over the phone should be verified by directly contacting the mobile carrier’s customer service line.

Last month, as noted in this space, T-Mobile said that it was aware of SIM attacks that have impacted a “very small” number of customers.

Grappling with false identities is a problem that bedevils all corners of the financial services industry.  PYMNTS data revealed that 54% of peer-to-peer (P2P) lenders, 47% of banks or credit unions and 43% of car dealerships have wrestled with false identities resulting from their authentication systems.

Beyond vigilance by consumers, there are other ways to counteract SIM swap. Keep in mind that the card itself is housed within a device — and the device itself, or rather how the device is used, that can be a “tell” of whether misdeeds are afoot.

Biometrics is one avenue of defense, behavioral analytics another.  As noted last year in an interview with PYMNTS, Rosemary O’Neill, director of customer delivery for NuData Security (in the EU) said that these advanced technologies can “build up profiles that separate good users from fraudsters.”

Granular insight into how legitimate users hold their devices, key in their information (and how smoothly that info is typed) can all give a holistic view of a customer, she said.

“By analyzing all of the intelligence from the device, we’re able to create a unique device identifier that recognizes the same information anytime a user comes back,” she told PYMNTS.

Read here: Passive Biometrics Help Battle SIM Swap Fraud

Beyond the SIM attacks, the urgency is there to establish better ID and authentication protocols.  As reported last week, Neuro-ID CEO Jack Alton told PYMNTS’ Karen Webster that there’s a digital identity crisis confronting any firm that relies on internet interactions. Alton said analytics platforms such as Neuro-ID’s can assess identities by parsing 300 million digital onboarding journeys. Platforms and advanced data analytics, he said, will be among key lines of defense in the future.

“There will be a continuous cat-and-mouse game of staying one step ahead of the fraudsters and having some sort of proactive protection,” he told Webster. “Once people see the power that behavioral data has in stopping fraud, they can’t unsee it.”

Read more: Behavioral Analytics Turn the Tables on Fake Accounts